b"              U.S. Department of Energy\n              Office of Inspector General\n              Office of Audit Services\n\n\n\n\nAudit Report\nThe Department's Audit Resolution\nProcess\n\n\n\n\nDOE/IG-0639                                 February 2004\n\x0c\x0c\x0cTHE DEPARTMENT'S AUDIT RESOLUTION PROCESS\n\nTABLE OF\nCONTENTS\n\n\n\n              Audit Resolution Process\n\n              Details of Finding ........................................................................1\n\n              Recommendations and Comments.............................................5\n\n\n              Appendices\n\n              1. Objective, Scope, and Methodology ......................................6\n\n              2. Prior Audit Reports.................................................................7\n\n              3. Management Comments........................................................8\n\x0cAUDIT RESOLUTION PROCESS\n\nRecommendation           The Department of Energy's (Department) current audit resolution\nResolution and Closure   process does not always ensure timely and appropriate closure of audit\nProcess                  recommendations. In spite of specific guidance, we noted that\n                         organizations frequently did not establish or conform to target dates\n                         designed to guide the completion of corrective actions. For example,\n                         we observed that the Department had not established target dates for\n                         implementing corrective actions for 44 percent of the 104 judgmentally\n                         sampled Office of Inspector General (OIG) recommendations accepted\n                         by management between 1994 and 2002. Additionally, even when\n                         target dates were set, organizations routinely exceeded expected closure\n                         dates. For example, 57 percent of the recommendations we reviewed\n                         exceeded milestone dates, one by as much as seven years.\n\n                         Our review also disclosed a number of examples where the lack of\n                         timely or complete resolution of audit recommendations prevented the\n                         Department from realizing significant savings or achieving operational\n                         efficiencies. As the following examples demonstrate, the lack of timely\n                         action in implementing corrective actions can have a significant\n                         monetary and operational impact. For instance:\n\n                            \xe2\x80\xa2   In our Audit of Fire and Emergency Medical Services Cost\n                                Sharing Between the Department of Energy and Los Alamos\n                                County (WR-B-96-01, October 2, 1995) we noted that the\n                                Department was paying 99 percent of the County's fire and\n                                emergency medical costs even though it accounted for only\n                                47 percent of all service calls. The OIG estimated that County\n                                services could be subsidized by as much as $18.3 million over\n                                the life of the contract (December 1992 to November 1997) and\n                                recommended that the Department either develop alternate\n                                methods for sharing fire and emergency medical services or\n                                separate responsibility for these services between the\n                                Department and the County. Even though management\n                                concurred with the recommendation, seven years have passed\n                                since the proposed resolution date and payments continue to be\n                                made under the same terms as the above contract. While exact\n                                amounts cannot be determined because the Department had not\n                                tracked usage, we estimate that subsidies over the six years\n                                since the contract was continued \xe2\x80\x93 assuming usage remained\n                                static \xe2\x80\x93 could amount to as much as $22 million.\n\n\n\n\nPage 1                                                                       Details of Finding\n\x0c         \xe2\x80\xa2   During March 1999, our report on Vehicle Fleet Management at\n             the Idaho National Engineering and Environmental Laboratory\n             (WR-B-99-02) noted that their light vehicle fleet was larger than\n             necessary. Based on our recommendation, the Department\n             agreed to review fleet use against mileage standards and dispose\n             of or reassign vehicles as necessary by September 2000. Actual\n             work, however, was not completed until September 2001 and\n             the Department did not realize a potential savings of about\n             $321,000.\n\n         \xe2\x80\xa2   Our report on Groundwater Monitoring Activities at Department\n             of Energy Facilities (DOE/IG-0461, February 2000)\n             recommended that the Department require field managers to\n             evaluate innovative technologies at each site for\n             groundwater monitoring. However, target closure dates were\n             never established, the effort was not closely monitored, and no\n             action was taken on this recommendation because of confusion\n             over who had authority to direct field managers to evaluate such\n             technologies. As a result, the Department did not realize the\n             maximum benefit of implementing innovative groundwater\n             monitoring technologies that may have saved an estimated $3.6\n             million annually.\n\n         \xe2\x80\xa2   With regard to our report on Internet Privacy (DOE/IG-0493,\n             February 2001), we noted that the Department established a\n             target date but did not take agreed upon corrective action.\n             Specifically, our Follow-up Audit on Internet Privacy (OAS-L-\n             03-04, December 2002) disclosed that the Department closed\n             the recommendation to develop Internet privacy specific\n             performance measures in January 2002 when it established a\n             target implementation date but never actually developed needed\n             performance measures. As we observed in our original report,\n             lack of action in this area deprived the Department of a basis to\n             measure and demonstrate its performance in this highly\n             sensitive area.\n\n         \xe2\x80\xa2   We also noted in our Evaluation Report on The Department's\n             Unclassified Cyber Security Program-2003 (IG-0620,\n             September 2003) that a number of cyber security related audit\n             findings had been closed without completion of corrective\n             actions. These findings involved the testing of sites' disaster\n             recovery and continuity of service plans, which allow\n             organizations to ensure continuing operations in the event of a\n             major disaster.\n\nPage 2                                                     Details of Finding\n\x0c                         We also observed that findings and recommendations are often repeated\n                         from site to site, or program to program. For example, we routinely\n                         identify a number of persistent cyber security related problems during\n                         annual reviews such as those required by the Federal Information\n                         Security Management Act and the audit of the Department's\n                         consolidated financial statements. Problems related to risk\n                         management, access and password controls, and contingency and\n                         disaster recovery planning have been observed across the Department's\n                         organizations and geographic locations since Fiscal Year 2001. Most\n                         recently, our evaluation of the Information Technology Management\n                         Letter on the Audit of the Department of Energy's Consolidated\n                         Financial Statements for Fiscal Year 2003 (DOE/OAS-FS-04-01,\n                         November 2003) revealed that 15 of the 17 new findings identified in\n                         2003 were either the same or similar to findings identified at other\n                         organizations in 2002.\n\n\nPerformance Management   The Department did not fully realize the potential benefit of\nand Analyses             recommendations addressing internal control weaknesses because it\n                         lacked focused performance measures and did not perform required\n                         trend or applicability analyses.\n\n                                                 Performance Measures\n\n                         While we observed that the Department had audit resolution\n                         performance measures in place at some point, it subsequently removed\n                         them from its performance plan. In response to our July 1999 report on\n                         audit follow-up, the Department determined that its existing\n                         performance measures were adequate to control the audit resolution\n                         process. Subsequent to that determination, however, the Department\n                         deleted those measures from its performance plan and had not replaced\n                         them. An Office of Management, Budget and Evaluation/Chief\n                         Financial Office (CFO) official told us that the measures were deleted\n                         because management believed that Office of Management and Budget\n                         (OMB) guidance required them to implement measures that were\n                         program and outcome rather than process oriented.\n\n                                            Trend and Applicability Analyses\n\n                         The Department also did not perform trend analyses to identify\n                         systemic problems or routinely review audit findings for applicability to\n\n\n\n\nPage 3                                                                        Details of Finding\n\x0c                         others. Despite recommendations in our previous report and\n                         requirements of OMB Circular A-50, a CFO official indicated that the\n                         Department did not conduct periodic analyses of audit\n                         recommendations to identify trends, system-wide problems, and\n                         potential solutions. Although management usually took corrective\n                         actions on the specific recommendations, the Department did not take\n                         advantage of the opportunity to determine whether similar issues exist\n                         at other programs, activities, or sites.\n\n                         Even though the Department as a whole did not have such a program,\n                         certain segments, such as the Strategic Petroleum Reserve (SPR), had\n                         implemented this approach and report that the benefits far outweigh the\n                         initial investment. SPR officials reported that such reviews enabled\n                         them to determine if similar deficiencies existed at their sites and to\n                         quickly take proactive corrective actions. For instance, as part of their\n                         process, SPR officials reviewed the OIG's audit on Sandia National\n                         Laboratories Procurement Card Program (WR-B-02-03, August 2002)\n                         and decided that they would initiate a review of the procurement card\n                         program at SPR. That review ultimately demonstrated that\n                         improvements were needed in management controls over their\n                         procurement cards.\n\n\nMaximizing Audit Value   The Department was not obtaining the greatest value possible from\n                         audit results and recommendations. For example, without adequate\n                         performance measures to guide completion of corrective actions,\n                         management lacked an important control for ensuring that corrective\n                         actions were appropriate and timely. As a consequence, opportunities\n                         to improve program performance and health and safety and to reduce\n                         the costs of various programs and projects were not realized or delayed\n                         because prompt corrective actions were not taken. For instance, in our\n                         cited examples alone, timely action may have saved the Department as\n                         much as $25.9 million. In our judgment, a lack of trend evaluations or\n                         applicability analyses of audit findings contribute to systemic or\n                         persistent problems. In particular, the failure to identify systemic cyber\n                         security related problems could lead to compromise of the Department's\n                         information systems and increase the risk that vital information will be\n                         corrupted or compromised.\n\n\n\n\nPage 4                                                                         Details of Finding\n\x0cRECOMMENDATIONS       We recommend that the Director, Office of Management, Budget and\n                      Evaluation/Chief Financial Officer and the Associate Administrator for\n                      Management and Administration, National Nuclear Security\n                      Administration, in conjunction with Program Secretarial Officers:\n\n                             1. Establish specific performance measures relating to the\n                                timeliness and effectiveness of audit resolution and follow-\n                                up;\n\n                             2. Identify and periodically report to the Deputy Secretary on\n                                the status of open recommendations including identifying\n                                recommendations for which (a) target closure dates have not\n                                been established, or (b) established target closure dates have\n                                not been met;\n\n                             3. Institutionalize the current initiative to identify the underlying\n                                causes for significant issues indicated by audits by revising\n                                DOE Order 2300.1B to require program officials to review\n                                all OIG and Department related General Accounting Office\n                                findings and recommendations for applicability to their\n                                Departmental element; and,\n\n                             4. Reemphasize the importance of program managers ensuring\n                                that open recommendations are closed only after effective\n                                implementation of corrective actions.\n\n\nMANAGEMENT REACTION   The Acting Director, Office of Management, Budget and Evaluation/\n                      Acting Chief Financial Officer, and the Associate Administrator for\n                      Management and Administration, National Nuclear Security\n                      Administration concurred with the report's recommendations and have\n                      agreed to implement corrective actions. Consolidated comments have\n                      been incorporated verbatim in Appendix 3.\n\n\n\n\nPage 5                                                   Recommendations and Comments\n\x0cAppendix 1\n\nOBJECTIVE     To determine whether the Department had improved its audit resolution\n              process and had taken recommended corrective actions.\n\n\nSCOPE         We conducted the audit from February 2003 through June 2003, at\n              Department of Energy Headquarters and the General Accounting Office\n              (GAO) in Washington, DC; the Oak Ridge Operations Office and UT-\n              Battelle in Oak Ridge, Tennessee; the Ohio Field Office and the\n              Defense Contract Audit Agency (DCAA) in Springdale, Ohio; and\n              Fluor Fernald in Fernald, Ohio.\n\n\nMETHODOLOGY   To accomplish the audit objective, we:\n\n              \xe2\x80\xa2   Reviewed applicable Federal regulations, Departmental orders, and\n                  policies and procedures implemented at Headquarters and sites\n                  visited;\n\n              \xe2\x80\xa2   Held discussions with Department, GAO, DCAA, and contractor\n                  officials regarding their audit follow-up and resolution processes;\n\n              \xe2\x80\xa2   Judgmentally selected a total of 70 audits from the OIG, GAO,\n                  contractor internal audit, and DCAA to determine whether\n                  recommendations were being implemented as asserted by\n                  management in their corrective action plans;\n\n              \xe2\x80\xa2   Reviewed Departmental Audit Resolution and Tracking System\n                  (DARTS) data to determine status of selected OIG and GAO audit\n                  recommendations; and,\n\n              \xe2\x80\xa2   Reviewed performance related information to determine compliance\n                  with the Government Performance and Results Act of 1993.\n\n              The audit was conducted in accordance with generally accepted\n              Government auditing standards for performance audits and included\n              tests of internal controls and compliance with laws and regulations to\n              the extent necessary to satisfy the audit objective. Because\n              our review was limited, it would not necessarily have disclosed all\n              deficiencies that may have existed at the time of our audit. We relied\n              on computer processed data in DARTS and conducted limited tests of\n              data necessary to satisfy our audit objective.\n\n              The exit conference was held with Departmental officials on\n              February 3, 2004.\n\nPage 6                                         Objective, Scope, and Methodology\n\x0cAppendix 2\n                                      PRIOR AUDIT REPORTS\n\n\n    \xe2\x80\xa2    The U.S. Department of Energy's Audit Follow-Up Process (DOE/IG-0447, July 7, 1999).\n         The audit found that the Department's audit follow-up system did not verify that\n         implemented actions addressed the underlying control weakness or share information on\n         potential weaknesses across the Departmental complex. Without a more planned and\n         proactive approach to audit follow-up, the Department cannot ensure that agreed-upon\n         actions will be implemented.\n\n    \xe2\x80\xa2    Follow-Up Audit on Internet Privacy (OAS-L-03-04, December 5, 2002). Our follow-up\n         review did not reveal any persistent cookies on the 20 randomly selected Department web\n         pages that we tested. These test results are consistent with the Department's actions to\n         implement our earlier recommendations. While the Department had made significant\n         progress toward implementing our recommendations, we found that it has not yet adopted\n         meaningful Internet privacy-specific performance measures. According to an official in the\n         Office of the Chief Information Officer, they were considering various alternatives but had\n         not yet determined a suitable method for measuring performance specific to Internet\n         privacy.\n\n\n\n\nPage 7                                                                                      Prior Reports\n\x0cAppendix 3\n\n\n\n\nPage 8       Management Comments\n\x0cAppendix 3 (continued)\n\n\n\n\nPage 9                   Management Comments\n\x0cAppendix 3 (continued)\n\n\n\n\nPage 10                  Management Comments\n\x0c                                                                              IG Report No.: DOE/IG-0639\n\n                                    CUSTOMER RESPONSE FORM\n\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its products. We\nwish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that\nyou consider sharing your thoughts with us. On the back of this form, you may suggest improvements to\nenhance the effectiveness of future reports. Please include answers to the following questions if they are\napplicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or procedures of the\n   audit would have been helpful to the reader in understanding this report?\n\n2. What additional information related to findings and recommendations could have been included in this\n   report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report's overall message more\n   clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues discussed in this\n   report which would have been helpful?\n\nPlease include your name and telephone number so that we may contact you should we have any questions\nabout your comments.\n\nName _____________________________             Date __________________________\n\nTelephone _________________________            Organization ____________________\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-\n0948, or you may mail it to:\n\n                                     Office of Inspector General (IG-1)\n                                           Department of Energy\n                                          Washington, DC 20585\n\n                                        ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of Inspector General,\nplease contact Wilma Slaughter at (202) 586-1924.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly and cost\n  effective as possible. Therefore, this report will be available electronically through the Internet at the\n                                            following address:\n\n\n                  U.S. Department of Energy, Office of Inspector General, Home Page\n                                       http://www.ig.doe.gov\n\n                    Your comments would be appreciated and can be provided on the\n                           Customer Response Form attached to the report.\n\x0c"